
filters: implement parent binary export filter
Implement a new export filter that can filter over parent binary names
using RE2 regular expressions.

Signed-off-by: willfindlay <will@isovalent.com>
willfindlay committed Jun 24, 2024
1 parent e0ba8f7 commit 4a3623f
Showing 12 changed files with 125 additions and 10 deletions.
1 change: 1 addition & 0 deletions api/v1/README.md


16 changes: 14 additions & 2 deletions api/v1/tetragon/events.pb.go


2 changes: 2 additions & 0 deletions api/v1/tetragon/events.proto
@@ -57,6 +57,8 @@ message Filter {
repeated string policy_names = 10;
// Filter events by Linux process capability
CapFilter capabilities = 11;
// Filter parent process' binary using RE2 regular expression syntax.
repeated string parent_binary_regex = 12;
}

// Filter over a set of Linux process capabilities. See `message Capabilities`



1 change: 1 addition & 0 deletions docs/content/en/docs/concepts/events.md
@@ -161,6 +161,7 @@ flags, or environment variables.
| `labels` | Filter events by pod labels using [Kubernetes label selector syntax](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) Note that this filter never matches events without the pod field (i.e. host process events). |
| `policy_names` | Filter events by tracing policy names. |
| `capabilities` | Filter events by Linux process capability. |
| `parent_binary_regex` | Filter process events by a list of regular expressions of parent process binary names (e.g. `"^/home/kubernetes/bin/kubelet$"`). You can find the full syntax [here](https://github.com/google/re2/wiki/Syntax). |

#### Field Filtering

1 change: 1 addition & 0 deletions docs/content/en/docs/reference/grpc-api.md


28 changes: 24 additions & 4 deletions pkg/filters/binary_regex.go
@@ -13,7 +13,7 @@ import (
"github.com/cilium/tetragon/api/v1/tetragon"
)

func filterByBinaryRegex(binaryPatterns []string) (hubbleFilters.FilterFunc, error) {
func filterByBinaryRegex(binaryPatterns []string, parent bool) (hubbleFilters.FilterFunc, error) {
var binaries []*regexp.Regexp
for _, pattern := range binaryPatterns {
query, err := regexp.Compile(pattern)
@@ -23,7 +23,13 @@ func filterByBinaryRegex(binaryPatterns []string) (hubbleFilters.FilterFunc, err
binaries = append(binaries, query)
}
return func(ev *v1.Event) bool {
process := GetProcess(ev)
var process *tetragon.Process
if parent {
process = GetParent(ev)

} else {
process = GetProcess(ev)
}
if process == nil {
return false
}
@@ -41,11 +47,25 @@ type BinaryRegexFilter struct{}
func (f *BinaryRegexFilter) OnBuildFilter(_ context.Context, ff *tetragon.Filter) ([]hubbleFilters.FilterFunc, error) {
var fs []hubbleFilters.FilterFunc
if ff.BinaryRegex != nil {
dnsFilters, err := filterByBinaryRegex(ff.BinaryRegex)
filters, err := filterByBinaryRegex(ff.BinaryRegex, false)
if err != nil {
return nil, err
}
fs = append(fs, filters)
}
return fs, nil
}

type ParentBinaryRegexFilter struct{}

func (f *ParentBinaryRegexFilter) OnBuildFilter(_ context.Context, ff *tetragon.Filter) ([]hubbleFilters.FilterFunc, error) {
var fs []hubbleFilters.FilterFunc
if ff.ParentBinaryRegex != nil {
filters, err := filterByBinaryRegex(ff.ParentBinaryRegex, true)
if err != nil {
return nil, err
}
fs = append(fs, dnsFilters)
fs = append(fs, filters)
}
return fs, nil
}
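Review bot: An event whose parent is unset never matches the new filter, because `GetParent(ev)` returning nil hits the `return false` branch a few lines below, and that behaviour is stated neither on the proto field nor in the docs row; the non-matching semantics of the `labels` filter are spelled out, so a parallel note such as `// Note that this filter never matches events without a parent.` belongs next to `ParentBinaryRegexFilter`, and ideally on the `parent_binary_regex` proto comment too. `ParentBinaryRegexFilter` and its `OnBuildFilter` are exported without doc comments; `// ParentBinaryRegexFilter filters events by the parent process' binary path using RE2 regular expressions.` would satisfy the exported-name convention the rest of the package presumably follows. The stray blank line before `} else {` inside the `if parent` block looks accidental and should go. The two `OnBuildFilter` bodies are now identical apart from the field and the boolean, so a small shared helper taking the pattern slice and the `parent` flag would remove the copy that this commit's `dnsFilters`→`filters` rename was itself fixing.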
49 changes: 49 additions & 0 deletions pkg/filters/binary_regex_test.go
@@ -152,3 +152,52 @@ func TestBinaryRegexFilterInvalidEvent(t *testing.T) {
Event: &tetragon.GetEventsResponse_ProcessExec{ProcessExec: &tetragon.ProcessExec{Process: nil}},
}}))
}

func TestParentBinaryRegexFilter(t *testing.T) {
f := []*tetragon.Filter{{ParentBinaryRegex: []string{"bash", "zsh"}}}
fl, err := BuildFilterList(context.Background(), f, []OnBuildFilter{&ParentBinaryRegexFilter{}})
assert.NoError(t, err)
ev := v1.Event{
Event: &tetragon.GetEventsResponse{
Event: &tetragon.GetEventsResponse_ProcessExec{
ProcessExec: &tetragon.ProcessExec{
Process: &tetragon.Process{Binary: "/sbin/iptables"},
},
},
},
}
assert.False(t, fl.MatchOne(&ev))
ev = v1.Event{
Event: &tetragon.GetEventsResponse{
Event: &tetragon.GetEventsResponse_ProcessExec{
ProcessExec: &tetragon.ProcessExec{
Parent: &tetragon.Process{Binary: "/bin/foo"},
Process: &tetragon.Process{Binary: "/sbin/iptables"},
},
},
},
}
assert.False(t, fl.MatchOne(&ev))
ev = v1.Event{
Event: &tetragon.GetEventsResponse{
Event: &tetragon.GetEventsResponse_ProcessExec{
ProcessExec: &tetragon.ProcessExec{
Parent: &tetragon.Process{Binary: "/bin/bash"},
Process: &tetragon.Process{Binary: "/sbin/iptables"},
},
},
},
}
assert.True(t, fl.MatchOne(&ev))
ev = v1.Event{
Event: &tetragon.GetEventsResponse{
Event: &tetragon.GetEventsResponse_ProcessExec{
ProcessExec: &tetragon.ProcessExec{
Parent: &tetragon.Process{Binary: "/bin/zsh"},
Process: &tetragon.Process{Binary: "/sbin/iptables"},
},
},
},
}
assert.True(t, fl.MatchOne(&ev))
}
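Review bot: The new test never exercises the error path of `filterByBinaryRegex` for the parent field, so a malformed pattern reaching `BuildFilterList` through `ParentBinaryRegex` is untested even though the sibling filter above has `TestBinaryRegexFilterInvalidEvent`. A two-line case such as `_, err = BuildFilterList(context.Background(), []*tetragon.Filter{{ParentBinaryRegex: []string{"("}}}, []OnBuildFilter{&ParentBinaryRegexFilter{}})` followed by `assert.Error(t, err)` would pin that surface. The four events here all use `ProcessExec`; if `GetParent` also resolves parents for other event types (not visible in this hunk), one non-exec case would confirm the filter is not exec-only.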
1 change: 1 addition & 0 deletions pkg/filters/filters.go
@@ -84,6 +84,7 @@ func BuildFilterList(ctx context.Context, ff []*tetragon.Filter, filterFuncs []O
// Filters is the list of default filters
var Filters = []OnBuildFilter{
&BinaryRegexFilter{},
&ParentBinaryRegexFilter{},
&HealthCheckFilter{},
&NamespaceFilter{},
&PidFilter{},


